Assessment of the SEC's Privacy Program

September 29, 2010
Report No. 485

Assessment and Review Conducted by C5i

UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549

OFFICE OF INSPECTOR GENERAL

MEMORANDUM
September 29, 2010

To:      Jeffery Heslop, Chief Operating Officer (COO), and Acting Chief Information Officer (CIO), Office of Information Technology (OIT)
         Rosalind Tyson, Regional Director, Los Angeles Regional Office
         Sharon Sheehan, Associate Executive Director, Office of Administrative Services

From:    H. David Kotz, Inspector General, Office of Inspector General

Subject: Assessment of the SEC's Privacy Program, Report No. 485

This memorandum transmits the U.S. Securities and Exchange Commission Office of Inspector General's (OIG) final report detailing the results of our assessment of the SEC's Privacy Program. This review was conducted as part of our continuous effort to assess management of the Commission's programs and operations, and as a part of our annual audit plan.

The final report contains 20 recommendations, which if implemented should improve the Commission's security posture for protecting Personally Identifiable Information. The COO/Acting CIO fully concurred with 12 of the 15 recommendations addressed to that office, partially concurred with 1 recommendation, and did not concur with 2 recommendations. The LARO Regional Director and the Associate Executive Director, Office of Administrative Services, concurred with all the recommendations addressed to their offices. The written responses OIG received to the draft report are included in the appendices.

Within the next 45 days, please provide the OIG with a written corrective action plan that is designed to address the agreed recommendations. The corrective action plan should include information such as the responsible official/point of contact, time frames for completing the required actions, and milestones identifying how you will address the recommendations cited in this report.

Should you have any questions regarding this report, please do not hesitate to contact me or Kelli Brown-Barnes at x-15674. We appreciate the courtesy and cooperation that you and your staff extended to our staff and contractors.

Attachment

cc:
        Kayla J. Gillan, Deputy Chief of Staff, Office of the Chairman
        Diego Ruiz, Executive Director, Office of the Executive Director
        Rabia Cebeci, Senior Special Counsel, Los Angeles Regional Office
        Todd Scharf, Chief Information Security Officer-Information Security, Office of Information Technology
        Barbara Stance, Chief Privacy Officer, Office of Information Technology
Assessment of the SEC Privacy Program

Executive Summary

Background. The U.S. Securities and Exchange Commission (SEC or Commission) Office of Inspector General (OIG) contracted the services of C5i Federal, Inc. (C5i) to perform an assessment of the SEC's privacy policies and procedures and the proper handling of Personally Identifiable Information (PII) in its headquarters (Station Place), Operations Center (OPC), and regional offices. The privacy program assessment was conducted in two phases. First, in June 2010, C5i assessed the SEC's Los Angeles Regional Office's (LARO) handling of PII data through a physical inspection, interviews, and a Network Vulnerability Assessment (NVA)[1] of the SEC's computer network. Second, in July 2010, C5i performed an assessment of the SEC's systems located in Station Place and the Operations Center to evaluate their network security postures, and conducted a re-scan of seven of the eight servers previously assessed in LARO. In addition, C5i conducted an application vulnerability assessment on the SEC's "HUB"[2] application to determine how the Commission retained and secured its PII data within this application. Additionally, C5i reviewed the status of a prior privacy assessment recommendation that was still open.

Objectives. The primary objectives of the review were to:

    •   Evaluate the adequacy of the SEC's Privacy Office's policies and procedures, as well as its interaction and involvement with the Commission offices and divisions to ensure SEC employees' privacy;
    •   Perform an in-depth analysis of the privacy requirements and identify the SEC processes and procedures that are used to conduct privacy reviews;
    •   Assess whether the Privacy Office responds to privacy issues in accordance with governing SEC, National Institute of Standards and Technology (NIST), Office of Management and Budget (OMB) and other government guidance and regulations, to determine whether improvements are needed;
    •   Determine if the SEC has developed and implemented technical, managerial, or operational privacy-related controls to effectively mitigate known risks that are inherent to the Privacy Act's system of records;
    •   Determine if the SEC has established procedures and automated mechanisms to verify privacy control effectiveness;
    •   Review governing Commission policy and guidance, and follow up on prior recommendations;
    •   Perform an assessment of an SEC regional office for proper handling of PII and adherence to SEC privacy policies and procedures;
    •   Perform an NVA at the LARO, Station Place, and OPC to evaluate the security posture of the SEC network in protecting PII data; and
    •   Perform an application assessment to ensure PII data is protected.

[1] An NVA is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities found on a network. It is performed using commercial off-the-shelf tools used by assessors industry-wide.
[2] The HUB application is used by the SEC's Division of Enforcement for case activity tracking and was selected to be assessed based on the sensitive data contained within the application and the maturity of the application.

Results. Overall, the assessments conducted identified significant concerns with the manner in which the SEC handles PII data. Improper handling could result in a significant data breach and the possible exploitation of PII or sensitive data. Further, the SEC's ability to complete its mission could be jeopardized if external parties lose trust and become unwilling to share PII data with the Commission.

Specifically, our review identified high level vulnerabilities affecting SEC computer systems in the assessments of LARO as well as headquarters and the OPC that are vulnerable to exploitation and infiltration. We further found that while software vendors provide patches and updates to remediate security vulnerabilities identified in their software, the SEC has not applied these critical patches and updates, in some cases going back as far as 2006. We also found that the SEC has not been regularly reviewing the application of patches on a consistent basis, which leaves the Commission vulnerable to attack.

Additionally, our assessments yielded further areas of concern. We found that:

    •   The Office of Information Technology's (OIT) categorization of network vulnerabilities does not accurately reflect the actual risk to the environment;
    •   Base images deployed on laptops are not compliant with Federal Desktop Core Configuration (FDCC) requirements, and not all deviations are disclosed as required by OMB;
    •   SEC laptops can connect to the SEC network via a local area network (LAN) port while simultaneously connected to an external wireless network, exposing the SEC network to potential compromise by a malicious attacker;
    •   Design flaws in the development of the HUB application could potentially result in a compromise of data;
    •   PII at LARO is contained on shared drives without access controls, allowing all LARO employees unfettered access to documents and data that may be misused;
    •   LARO employees violated the SEC Rules of the Road by sending documents containing PII data to personal email accounts and by using portable media that was not encrypted. In addition, LARO employees did not adequately secure unencrypted portable media.

Further, through interviews with OIT staff and a physical assessment of office space and storage areas at headquarters' offices, the OPC and LARO, we found that:

    •   Documents containing PII data were casually left on work tables, fax machines, and desks.
    •   File rooms, file cabinets, and offices containing very sensitive information were unsecured.
    •   The SEC has no final policies or procedures for the destruction of portable media storage devices, and secured storage bins were not accessible to all Commission staff.

These findings indicate a significant risk to the SEC network and the security of the data/documents handled by the agency.

Although OIT has already begun taking steps to mitigate and remediate risks by progressively applying certain critical patches, significant additional work must be done.

Summary of Recommendations. We provided the SEC with 20 specific and concrete recommendations to address the vulnerabilities identified in the review. Specifically, we recommend that OIT and the Chief Operating Officer:

        (1)   Apply patches and updates to the Commission's networks, workstations and laptops on a timely basis;

        (2)   Implement procedures to regularly review whether a newly-released patch should or should not be applied to the environment;

        (3)   Evaluate OIT's risk assessment process for scoring risk;

        (4)   Define a standard recognized character set for every response containing Hypertext Markup Language content;

        (5)   Ensure Federal Desktop Core Configuration compliance for all base images deployed on desktops and laptops;

        (6)   Submit a complete list of common security standard deviations to the National Institute of Standards and Technology per the Office of Management and Budget's requirements;

        (7)   Ensure that wireless cards installed on laptops are turned off when connected to the SEC's local area network;
        (8)   Implement an agency-wide policy regarding shared folder structure and access rights based on "least privilege";

        (9)   Ensure personal storage tab files are saved to a protected folder;

        (10)  Implement a policy that all portable media must be fully secured when not in use;

        (11)  Appoint a privacy point of contact at each regional office;

        (12)  Implement a clean desk policy or require all offices to be locked when not occupied;

        (13)  Conduct additional training to ensure that staff understand the handling of PII and sensitive data and their responsibilities in protecting SEC information;

        (14)  Approve and implement operating procedures for hard drive wiping and media destruction;

        (15)  Provide training on the handling, disposal, and storage of portable media storage devices.

In addition, we recommend that the LARO:

        (1)   Reemphasize the SEC Rules of the Road to LARO staff;

        (2)   Enforce its encryption policy to protect sensitive data received by the Commission;

        (3)   Ensure that all file rooms and file cabinets at LARO are secured; and

        (4)   Ensure that boxes of files in hallways are moved to secured areas.

Further, we recommend that the Office of Administrative Services provide secured bins for disposal of portable media storage devices.

TABLE OF CONTENTS

Executive Summary ............................................................ iv
Table of Contents ............................................................ viii

Background and Objectives .................................................... 1
     Background ............................................................... 1
     Objectives ............................................................... 4

Findings and Recommendations ................................................. 6
     Finding 1: The SEC Network Vulnerability Assessment Results Showed Numerous Missing Vendor Issued Security Patches and Updates ... 6
          Recommendation 1 .................................................... 11
          Recommendation 2 .................................................... 11

     Finding 2: SEC OIT's Questionable Categorization of Network Vulnerabilities May Impact the Certification and Accreditation (C&A) Process ... 12
          Recommendation 3 .................................................... 13

     Finding 3: A Significant Vulnerability Was Identified in Assessment of HUB Application ... 14
          Recommendation 4 .................................................... 15

     Finding 4: The Base Images Currently Being Deployed to SEC Laptops are Out of Date and Not Compliant with OMB Regulations ... 15
          Recommendation 5 .................................................... 16
          Recommendation 6 .................................................... 17

     Finding 5: SEC Laptops Can Be Connected to the SEC Network Via LAN Port While Simultaneously Connected to An External Wireless Network ... 17
          Recommendation 7 .................................................... 18

     Finding 6: Improper Handling of PII Data at LARO ........................ 19
          Recommendation 8 .................................................... 21
          Recommendation 9 .................................................... 21
          Recommendation 10 ................................................... 23
          Recommendation 11 ................................................... 24
          Recommendation 12 ................................................... 24
          Recommendation 13 ................................................... 24
          Recommendation 14 ................................................... 26
          Recommendation 15 ................................................... 26
          Recommendation 16 ................................................... 26
          Recommendation 17 ................................................... 26

     Finding 7: The SEC Has No Final Policies or Procedures for the Destruction of Portable Media Storage Devices ... 27
          Recommendation 18 ................................................... 28
          Recommendation 19 ................................................... 28
          Recommendation 20 ................................................... 29

Appendices
     Appendix I: Acronyms ..................................................... 30
     Appendix II: Examples of PII Violations .................................. 31
     Appendix III: Scope and Methodology ...................................... 32
     Appendix IV: Criteria .................................................... 34
     Appendix V: List of Recommendations ...................................... 35
     Appendix VI: Management Comments ......................................... 38
     Appendix VII: OIG Response to Management's Comments ...................... 46

Tables
     Table 1: Summary of LARO Network Vulnerability Assessment Scan Results ... 8
     Table 2: Summary of SP, OPC, and Re-scan of LARO Network Vulnerability Assessment Scan Results ... 9

Figures
     Figure 1: Unsecured Files Found in the Open Containing PII Data at LARO ... 31
     Figure 2: Unsecured Files at LARO ........................................ 31

Background and Objectives

Background

Overview. The U.S. Securities and Exchange Commission (SEC or Commission) Office of Inspector General (OIG) contracted the services of C5i Federal, Inc. (C5i) to perform an expert assessment of the SEC's privacy policies and procedures, and the proper handling of Personally Identifiable Information (PII) in its headquarters and regional offices. The SEC has headquarters offices located in Washington, D.C., commonly referred to as Station Place (SP), and in Alexandria, Virginia, at an Operations Center (OPC). The SEC also maintains 11 regional offices throughout the continental United States.

C5i's expert assessment was conducted in two phases. First, in June 2010, C5i assessed the SEC's Los Angeles Regional Office's (LARO) handling of PII data through a physical inspection and interviews, and conducted a Network Vulnerability Assessment (NVA)[3] of the SEC's computer network. LARO was selected as the regional office to be evaluated based on its size and the fact that it was last assessed by the Office of Information Technology (OIT) in 2008 and was not due to be evaluated again until 2011.

Second, in July 2010, C5i performed an NVA of SP and OPC to evaluate their respective network security postures, and conducted a re-scan of seven of the eight servers previously assessed in LARO. The purpose of the re-scan was to determine if vulnerabilities identified during the June 2010 scans had been remediated by OIT.
In addition, C5i conducted an application vulnerability assessment on the SEC's "HUB"[4] application to determine how the Commission retained and secured its PII data within this application.

At the onset of the assessment, C5i met with the SEC's Chief Information Officer (CIO) and Privacy Officer to establish technical Rules of Engagement (ROE), given the requirements needed to perform the technical assessments (NVA and Application Assessment). The technical ROE set forth the limitations and requirements, and detailed the specific data, information (i.e., network switches, passwords, accounts, Internet access, private rooms, etc.), and access rights and privileges C5i would need to carry out assessments of the SEC's PII. In addition, the technical ROE identified the systems that were to be assessed and was approved and signed by all respective parties on June 23, 2010.[5]

[3] A Network Vulnerability Assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities found on a network. It is performed using commercial off-the-shelf tools used by assessors industry-wide.
[4] The HUB application is used by the SEC's Division of Enforcement for case activity tracking and was selected to be assessed based on the sensitive data contained within the application and the maturity of the application.

One of the key elements of the technical ROE that was discussed extensively by all parties was the OIG's requirements pertaining to the appropriate level of credentials (user id and passwords) necessary to perform the assessments. The OIG informed OIT that a temporary test Domain Administrative account[6] was required to conduct an effective review of the SEC's security posture as it related to privacy. After the OIT Assistant Director of Infrastructure Engineering expressed concern about the level of access agreed to in the ROE, the OIG agreed that it would use an account with limited privileges (utilized previously by the General Accountability Office in a previous review); however, a separate Test Domain Administrator account would be created as a fallback, in the event that the account assigned to the OIG experienced problems or was unable to satisfy the requirements of the assessments.

Prior OIG Work Conducted in 2009/2010. The OIG conducted a prior privacy assessment in 2009/2010,[7] which resulted in one recommendation that remains open. The report found that OIT had not finalized all its outstanding draft privacy-related policies and procedures, nor had they been fully implemented throughout the Commission.

Overview of Technical Assessments at LARO. C5i conducted its on-site assessment at LARO from June 25 to July 2, 2010. LARO is located in downtown Los Angeles and it consists of 162 SEC employees and contractors and five interns. LARO has offices on the [redacted] and the [redacted] of a public, 25-story building and requires an SEC access card to stop on the [redacted]. The [redacted] do not require card access for the elevators as they are shared with other tenants, but card access is required to enter the SEC space and conference rooms. The technical and physical assessments at LARO were conducted over an eight-day period, beginning on the morning of June 25, 2010. The assessments consisted of performing an NVA of the servers, workstations/laptops deployed to LARO staff, and recently imaged laptops not yet deployed to personnel, and a physical assessment of the LARO facilities. The purpose of this work was to verify the security of the network and workstations/laptops, the protection and proper handling of electronic PII data, and, through a physical inspection of the facilities, the proper handling of hard copy PII data.

[5] The respective parties were: the former Chief Information Officer; the Inspector General; the Chief Information Security Officer; and the president and CEO of C5i Federal, Inc.
[6] A domain administrator account is an account that has power over all computers, including domain controllers, within the domain. This means that this user account can log on to any computer, access any file, and install any application by default.
[7] Report No. 475, Evaluation of the SEC Privacy Program, issued March 26, 2010.

In order to conduct an effective assessment, in accordance with the technical ROE, the assessment of LARO was unannounced. Only the LARO Director, the Associate Director and physical security personnel were informed about C5i's visit. The purpose of conducting this "surprise" assessment was to ensure that information was not updated or modified prior to the work.

C5i began its technical assessment at LARO on June 25, 2010, at 4:00 p.m., Pacific Daylight Time (PDT). C5i's network assessments were performed on the LARO servers, a sampling of 66 deployed workstations/laptops, and two newly imaged laptops that had not yet been deployed to the field. The scans yielded a significant number of high level vulnerabilities,[8] which were vetted through a manual verification process to ensure the accuracy of the scan data and to eliminate false positives. Once the vetting was completed, C5i and the OIG immediately notified OIT, in accordance with the technical ROE. Numerous calls were held with staff from OIT and the OIG on June 27, 2010, and the assessment findings were presented and discussed during a June 28, 2010 teleconference with the Chief Information Security Officer (CISO), the Associate Director of Infrastructure Engineering, and the OIG.

In addition to the network vulnerabilities discovered, C5i's assessment identified emails containing PII sent to employees' personal email addresses, shared folders lacking access controls, and instances in which the base image for laptops was not Federal Desktop Core Configuration (FDCC) compliant. These are detailed in the findings section of this report.

Overview of Physical Assessment Conducted at LARO. As part of the evaluation of LARO, C5i also conducted a physical evaluation of the SEC space to verify the proper handling/storage of PII and compliance with SEC policies and procedures. The staff at LARO was very accommodating and cooperative, providing a secure work area, full access to the space both on and off hours, and necessary access to storage areas. C5i physically inspected all areas of the SEC space, file rooms located in the space, as well as storage space located in [redacted]. The physical assessment was conducted from June 25 to June 26, 2010. During the physical evaluation, C5i found evidence of PII data being handled incorrectly: unsecured documents and files, and unencrypted media. These findings are detailed in the findings section of this report.

Overview of Assessment Conducted at SP, OPC, Re-scan of LARO, and HUB application. After undertaking an analysis of current SEC applications that stored PII data, the OIG chose to assess the Division of Enforcement's (Enforcement) HUB system. The HUB system is a case management and tracking system that has been in place since 2008, and is the primary system used by Enforcement's staff attorneys, accountants, and branch chiefs to track and manage ongoing matters.

[8] We note that OIT disagrees with the OIG's determination that the vulnerabilities should be considered at a "high level."

Since the HUB application could not be taken offline to be assessed, in light of its need to be continuously available to Commission staff, OIT provided an exact duplicate of the data and allowed the assessment to be conducted in the test/staging environment. Credentials were provided for the access required per the technical ROE, and the test was conducted July 23, 2010 through July 25, 2010.

In addition to the HUB application security assessment, C5i conducted an NVA on the SP and OPC networks, as well as servers and workstations at both locations. A re-scan of the LARO network was also performed. This re-scan yielded similar results to the June 2010 scans, although there were fewer high level vulnerabilities, demonstrating that some patching/remediation had taken place.

Detailed findings from the NVA for SP and OPC, the re-scans for LARO, and the onsite application security assessment (OASA) of HUB are located in the findings section of this report.

Overview of Assessment of Privacy Policies and Procedures. In addition to the technical assessments, C5i conducted interviews with Privacy Office staff, and reviewed privacy policies and procedures documents, system of records notices (SORNs) and incidents involving loss of PII.
These interviews and reviews were performed throughout the assessment period, April to August 2010.

Objectives

The OIG contracted with C5i to conduct an assessment of the SEC’s privacy policies and procedures and handling of PII in accordance with the following specific objectives:

• Evaluate the adequacy of the SEC’s Privacy Office’s policies and procedures, as well as its interaction and involvement with the Commission offices and divisions to ensure SEC employees’ privacy.

• Perform an in-depth analysis of the privacy requirements and identify the SEC processes and procedures that are used to conduct privacy reviews.

• Assess whether the Privacy Office responds to privacy issues in accordance with governing SEC, National Institute of Standards & Technology (NIST), Office of Management and Budget (OMB) and other government guidance and regulations to determine whether improvements are needed.

• Determine if the SEC has developed and implemented technical, managerial, or operational privacy-related controls to effectively mitigate known risks that are inherent to the Privacy Act’s system of records.

• Determine if the SEC has established procedures and automated mechanisms to verify privacy control effectiveness.

• Review governing Commission policy and guidance, and follow up on prior OIG recommendations.

• Perform an assessment of an SEC regional office for proper handling of Personally Identifiable Information and adherence to SEC privacy policies and procedures.

• Perform a Network Vulnerability Assessment at the Los Angeles Regional Office, Station Place, and the Operations Center to evaluate the security posture of the SEC network in protecting PII data.

• Perform an application assessment to ensure PII data is protected.

Findings and Recommendations

Finding 1: The SEC Network Vulnerability Assessment Results Showed Numerous Missing Vendor Issued Security Patches and Updates

    Critical patches and updates released by software vendors for vulnerabilities known to be exploitable have not been applied to the SEC network, which could jeopardize the confidentiality, integrity, and availability of PII or sensitive data.
    As a result, the network is vulnerable to compromise by known threats.

During the NVA of LARO, in June 2010, and SP and OPC, in July 2010, C5i found that critical patches issued by software vendors to correct known vulnerabilities had not been applied in a timely and effective manner. Applying these critical patches would remediate or mitigate the likelihood of exploitation of a vulnerability. Consequently, C5i found the SEC’s network to be vulnerable to well-known weaknesses identified by vendors, and that it could be compromised by a malicious user, resulting in a significant data breach and possible exploitation of PII or sensitive data.

The selection of C5i’s assessment locations was based on the current OIT schedule of field offices and population of staff. The LARO location provided the OIG with a view into the security posture of a field office’s network that had not been assessed by OIT in the past two years, and was not scheduled for an OIT assessment until 2011. SP and OPC offices were selected due to the large number of network servers located at these facilities. During the assessments, C5i used a number of commercial off-the-shelf and open source vulnerability assessment tools,[9] and conducted manual checks to provide adequate cross-checking and the capability to verify results and reduce or eliminate the number of false positives. These tools classify vulnerabilities as high, medium and low, based on their potential impact, severity, and potential for exploitability.

[9] The commercial off-the-shelf vulnerability assessment tools used during C5i’s assessment included:

The technical ROE provided that the OIG was to receive the following network credentials to provide sufficient access to conduct appropriate vulnerability scans of the network:

• Three separate Microsoft Server Local Administrator accounts.
• Three separate Microsoft Domain Administrator accounts.
• Three separate workstation and laptop Administrator accounts.
• Three UNIX user and root level accounts, if applicable.

At the time of the assessment, the SEC network consisted of 749 servers[10] and 5,268 workstations/laptops. C5i’s network vulnerability assessment sample included eight network servers, 66 deployed workstations/laptops, and two newly-imaged laptops located at LARO,[11] and 59 network servers and three workstations located in OPC and SP. C5i also conducted a re-scan of seven servers in LARO to identify any patching updates since the scans in June. C5i’s assessment did not include routers, network switches, firewalls, intrusion detection or prevention systems, proxy servers, anti-virus, and related infrastructure security systems.

Vendors Provide Patches and Updates. Software vendors provide patches and updates to remediate security vulnerabilities identified in their software. These patches and updates are made available through the software vendors’ websites as they are released.
It is the SEC’s responsibility to download, test, and deploy these patches to its network to reduce the risk associated with the vulnerability. NIST 800-53, Recommended Security Controls for Federal Information Systems and Organization, provides guidance to government organizations on flaw remediation, e.g., patching and updates. The NIST guidance provides that an organization should identify, report, and correct information system flaws; test software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and incorporate flaw remediation into the organizational configuration management process.[12]

[10] A server is a computer host on a network that runs an operating system, application software, database, etc.
[11] These workstations/laptops had not been deployed by OIT, but did receive the current SEC OIT approved image prior to conducting the assessment. In addition, these workstations/laptops were connected to the SEC network to ensure that the latest patches and security updates from OIT were applied.
[12] The National Institute of Standards and Technology’s (NIST) Special Publication 800-53, Rev 3, Recommended Security Controls for Federal Information Systems and Organization, August 2009, page F-124.

LARO Network Vulnerability Assessment. Scanning of the LARO network began on June 25, 2010 at approximately 6:00 p.m. PDT and continued, non-stop, through the early morning hours of June 28, 2010. Verification of the accuracy, testing, and review of the findings to eliminate or reduce the number of false positives identified during the assessment of the LARO network continued through July 2, 2010. The results are described in Table 1 below, and illustrate the SEC’s high level vulnerabilities identified during the assessment at LARO. C5i used a combination of commercial off-the-shelf and open source vulnerability assessment tools during the assessment, together with the categorization by software vendors, to determine the vulnerability levels for each type of device. The assessment identified 175 high-level vulnerabilities affecting eight servers, 67 high-level vulnerabilities affecting two new workstations/laptops, and 1,613 high-level vulnerabilities affecting 66 deployed workstations/laptops, as Table 1 below indicates.

Table 1: Summary of LARO Network Vulnerability Assessment Scan Results

    Vulnerability Level    Servers - 8    New Workstations and Laptops - 2    Deployed Workstations and Laptops - 66
    High                           175                                  67                                     1,613
    Medium                          66                                  11                                       287
    Low                            824                                 163                                     4,679
    Source: Generated by C5i

The significant number of high-level vulnerabilities increases the likelihood that the SEC’s LARO network is vulnerable to exploitation and infiltration by a person with ill intent.

Per the ROE signed by OIT, OIG, and C5i, on June 27, 2010, C5i immediately notified OIT of the high vulnerabilities found during the assessment.
The assessment findings were presented and discussed during a teleconference on June 28, 2010 with the CISO, Associate Director of Infrastructure Engineering, and the OIG. OIT did not take immediate emergency action when presented with this evidence of the significant number of high-level vulnerabilities at LARO. According to OIT, immediate emergency action was not taken because the vulnerabilities did not present imminent danger and patches were subsequently deployed according to prioritization.

SP and OPC Network Vulnerability Assessment, including a re-scan of LARO. On July 24, 2010, C5i conducted an NVA of the SEC’s network servers, workstations, and laptops at SP and OPC, and a re-scan of LARO servers. Altogether, C5i assessed a total of 59 network servers at SP and OPC,[13] re-scanned 7 LARO servers,[14] and assessed images from 3 SEC machines (2 workstations and one laptop). Upon conclusion of the assessment, as with the assessment at LARO, C5i verified the accuracy of the test results to eliminate and/or reduce any false positives identified during the assessment of SP, OPC, and the re-scan results of LARO.

[13] Of the 59 servers assessed at SP and OPC, 46 were from the SP and 13 were from the OPC.
[14] Due to time constraints, seven servers were re-scanned. The re-scan was performed to determine if patches had been applied and the vulnerabilities remediated in the approximately 30 days since the June 2010 assessment.

Table 2, shown below, illustrates the high-level vulnerabilities we identified during our assessment of SP, OPC, and the re-scan of the LARO servers.
C5i used the same commercial off-the-shelf and open source vulnerability assessment tools and categorization processes as it did during the review of LARO in June 2010. The assessment of SP, OPC, and re-scan of LARO identified 1,020 high-level vulnerabilities affecting the 59 servers, 30 high-level vulnerabilities affecting three new workstations/laptops, and 109 high-level vulnerabilities affecting the seven re-scanned LARO servers.

Table 2: Summary of SP, OPC, and Re-Scan of LARO Network Vulnerability Assessment Scan Results

    Vulnerability Level    Servers - 59    Deployed Workstations and Laptops - 3    Re-Scanned LARO Servers - 7
    High                          1,020                                       30                            109
    Medium                          356                                        9                             45
    Low                           5,204                                      239                            722
    Source: Generated by C5i

Based on the assessment of SP, OPC, and re-scan of LARO, C5i identified a significant number of high level vulnerabilities affecting servers, workstations, and laptops. The significant number of high-level vulnerabilities increases the likelihood that the SEC’s SP, OPC, and LARO networks are vulnerable to exploitation and infiltration by a person with ill intent. C5i confirmed during the re-scan of the LARO servers that OIT took action to begin implementing patches and updates to the LARO servers to remediate or mitigate the risk of exposure; however, there were still a significant number of high-level findings on each server. Therefore, the SEC’s SP, OPC, and LARO networks remain highly vulnerable to exploits by an individual with ill intent.

Critical Updates and Patches Need to Be Applied. Based on the network vulnerability assessment of components of the SEC’s enterprise network, C5i determined that critical patches and vendor supplied updates had not been applied going back as far as 2006, resulting in years of potential vulnerabilities that could have been exploited. The following patches have been made available by software vendors:

    Software Vendor              Year Patches Made Available
    Sun Vulnerabilities
    Microsoft Vulnerabilities
    HP Vulnerabilities
    Realplayer
    Shockwave

As indicated above, C5i’s review found that OIT has not applied patches and updates released by software vendors to the SEC network on a consistent basis. In addition, C5i determined that some system patches were several versions behind the current patch level that is recommended by the software vendor to adequately remediate known software vulnerabilities. It should be noted that major software vendors, such as Microsoft, provide patches on at least a monthly basis. Patches are also issued by the vendors on an ad-hoc basis to address a vulnerability that has severely impacted systems; e.g., in August 2010 a vulnerability was identified in Adobe Acrobat Reader that would allow remote attackers to execute arbitrary code on a user’s computer. In addition, the longer the delay between the time a known vulnerability has been reported to the vendor and the time the patch is actually applied, the greater the chance that hackers have found a means of exploiting the vulnerability.
Further, other agencies have established processes and procedures to regularly review whether a newly-released patch applies to the agency’s needs and requirements. C5i found in its assessment that OIT has not been regularly reviewing the application of patches on a consistent basis, which leaves its systems vulnerable to attack.

As a result of not implementing patches and vendor-issued security updates in a timely manner, the SEC’s systems were found to be highly vulnerable to compromise, infiltration, and exfiltration of PII and sensitive data. Further, lack of a proactive patch management process increases the time and effort spent by staff in responding after an exploitation has occurred. In the event that the SEC is exploited and data is compromised, the Commission’s reputation could be damaged, and its ability to have the securities industry voluntarily provide data will become more challenging, which could impact the SEC’s ability to meet its mission to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. OIT should review its systems and procedures, and apply patches, as appropriate, on a recurring, timely basis to the entire SEC enterprise network to ensure adequate security of its systems.

Prior OIG Reviews. The SEC’s OIG performed independent assessments of the confidentiality, integrity and availability of SEC data at OPC and its Northeast and Southeast regional offices from 2004 to 2005, and issued two reports.[15] During our present assessment, we compared the results of those Network Vulnerability Assessments with the current 2010 results of OPC, SP, and LARO. Our findings revealed that the security posture of the SEC network and systems was significantly higher during the 2004 to 2005 timeframe. Based on this analysis, C5i concluded that there has been a significant degradation in the SEC’s security posture over the last five years, and that a significant amount of procedural, policy, and management changes in OIT may have resulted in this degradation.

[15] Report No. 392, Northeast Regional Office (NERO) Information Management, issued February 14, 2005, and Report No. 400, Southeast Regional Office (SERO) Information Technology Management, issued March 24, 2005.

As indicated previously, since the OIG’s notification to OIT regarding the lack of controls in applying patches and software vendor updates, OIT has begun implementing patches and updates; however, we determined during the assessment of SP, OPC, and re-scans of LARO that many critical patches and vendor supplied updates have not, as of yet, been applied. As a result, the SEC network, workstations, and laptops remain highly vulnerable to attack by a malicious user, which could result in a data breach. Updating the SEC servers, workstations, and laptops with the currently available patches will significantly reduce the number of vulnerabilities on the SEC network and lessen the likelihood that the SEC’s network will be compromised and PII or sensitive data will be exploited.

    Recommendation 1:

    The Office of Information Technology should apply patches and updates to the Commission’s networks, workstations, and laptops on a timely basis. All future patches should be applied within        of vendor release, with emergency patches being applied on an ad-hoc basis to protect the agency’s systems and data.

    Management Comments. The COO/Acting CIO concurred with this recommendation.
    See Appendix V for management’s full comments.

    OIG Analysis. We are pleased that the COO/Acting CIO concurred with this recommendation.

    Recommendation 2:

    The Office of Information Technology should implement formal processes and procedures to regularly review whether a newly-released patch should or should not be applied to the environment.

    Management Comments. The COO/Acting CIO concurred with this recommendation. See Appendix V for management’s full comments.

    OIG Analysis. We are pleased that the COO/Acting CIO concurred with this recommendation.

Finding 2: SEC OIT’s Questionable Categorization of Network Vulnerabilities May Impact the Certification and Accreditation (C&A) Process

    The SEC’s questionable categorization of vulnerabilities may impact its internal C&A process.

Systems, such as the HUB application, are given a risk impact categorization based on the Federal Information Processing Standards Publication 199 (FIPS 199), Standards for Security Categorization of Federal Information and Information Systems. These systems are categorized as low, moderate, or high impact based on the level of adverse effect a data breach would have on an organization’s operations, assets, and personnel.
If a data breach occurs on a low impact system, the impact is expected to be limited; a moderate system has a more serious impact; and a high system is one that would have a severe or catastrophic impact in the event of a data breach.

Separate from the FIPS 199 rating for systems, any vulnerabilities found on an operating system, such as Microsoft Windows, are classified with risk factors using a combination of the National Vulnerability Database (NVD),[16] the Common Vulnerability Scoring System (CVSS),[17] and Common Vulnerabilities and Exposures (CVE)[18] Identifiers. All use the classification of high, medium, low, or notes/informational, depending on the severity of the vulnerability found on the operating system.

According to NIST standards, an agency must receive an Authorization to Operate (ATO)[19] prior to moving an application into the production environment for common use. As part of NIST’s guidance for C&A, an ATO cannot be granted if high level vulnerabilities have not been remediated.[20]

[16] NVD is a part of the NIST Computer Security Division and is sponsored by the Department of Homeland Security’s National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP). All vulnerabilities that are reported to NVD are siphoned through US-CERT (Computer Emergency Readiness Team).
[17] CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability.
[18] CVE Identifiers (also called "CVE names," "CVE numbers," "CVE-IDs," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities.
[19] An ATO is the authorization, usually by the CISO, required to put a system into production.

C5i identified several SEC systems that would have a severe impact on the SEC’s mission and operations in the event of a data breach. Further, C5i identified multiple vulnerabilities categorized as “high” by vendors, including Microsoft and Adobe, who made these determinations using industry standard ratings for vulnerabilities (e.g., the NVD, CVSS or CVE). Notwithstanding the fact that both C5i and these vendors identified multiple vulnerabilities at the “high” level, OIT concluded that there were no “high” level vulnerabilities and downgraded all their vulnerabilities to the “medium” level.
C5i was unable to understand how the SEC came to this conclusion and has concerns that OIT did not adequately weight the determinations of the vendors in its risk calculation/classification procedures.

OIT has developed its risk calculation to include other weighted values, such as mitigating controls (i.e., firewalls, intrusion detection systems) and the likelihood of the occurrence of an event, and used this classification process during the mandatory Security Test and Evaluation[21] phase of the SEC’s C&A[22] process.

OIT’s determination to downgrade all vulnerabilities to a “medium” level, notwithstanding the identification by the vendors of multiple vulnerabilities at the “high” level, allowed the SEC to receive an ATO, perhaps inappropriately. C5i has concerns that by not classifying risks adequately, the SEC systems could have been exposed to high-level vulnerabilities that can easily be exploited and result in a data breach, unauthorized access, as well as disclosure of PII and other sensitive information.

[20] The National Institute of Standards and Technology’s Special Publication 800-37, revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010, page F-4.
[21] Security Test and Evaluation is an examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system.
[22] C&A is required by the Federal Information Security Management Act (FISMA) of 2002, and is the process used to evaluate systems and major applications, ensuring adherence to formal and established security requirements that are well documented and authorized. All systems and applications that reside on U.S. government networks must be evaluated with a formal C&A before being put into production. Systems are evaluated annually (this is referred to as “Continuous Monitoring”) and are re-accredited every three years, or sooner if major changes to the systems are made.

    Recommendation 3:

    The Office of Information Technology should evaluate its risk assessment process for scoring risk to ensure that it adequately weights all appropriate factors, including the identification of risk levels by vendors.

    Management Comments. The COO/Acting CIO concurred with this recommendation. See Appendix V for management’s full comments.

    OIG Analysis. We are pleased that the COO/Acting CIO concurred with this recommendation.

Finding 3: A Significant Vulnerability Was Identified in Assessment of HUB Application

    The HUB application has a significant vulnerability that may be exploited, resulting in data being compromised.

As discussed above, the OIG selected the HUB application for assessment because it contains PII data and it is actively used by Commission staff. The HUB application is a web-based, SEC-internal application used by Enforcement for case management and tracking. It is accessible to all Enforcement staff, allowing each staff member to manage their assigned caseload directly, and also provides search and “read only” access to the entire Enforcement Division’s caseload. The HUB application provides Enforcement staff “real time” access to their cases, and could not be taken offline to conduct our assessment.
Consequently, OIT provided an exact duplicate of the application and supporting database in OIT’s test environment for use by the OIG in this assessment.

C5i’s assessment was performed using commercial off-the-shelf products[23] that are widely used throughout the industry to conduct this type of application assessment. The assessment was performed onsite at SP and began on July 23, 2010 at approximately 9:00 p.m., eastern daylight time. C5i initially encountered problems accessing the copy of the application data that was residing in the test/staging environment, but was able to resolve the issues in coordination with OIT. The assessment was successfully completed on July 24, 2010. The assessment of the HUB application identified a significant vulnerability, as described below.

[23] The tools used to assess the application were

The HUB Application Does Not Use a Defined Character Set. A character set (also referred to as ‘charset’) is a common coding language that can be translated and understood across various applications and platforms. The HUB application does not define a character set. Instead, the HUB application uses HyperText Markup Language (HTML) to access web applications.

The use of a common character set becomes important when a user accesses the HUB application. When a user enters a username and password to log on to the HUB application, HTML uses a universal coding language to translate the user input into code that the computer understands (i.e., ones and zeros). This is then translated back to HTML when the data is returned to the Web browser (i.e., Internet Explorer), and the user is then logged into the system.

Lack of a common character set becomes problematic because if a response from the computer states that it contains HTML content but does not specify a character set, the browser may then analyze the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set, allowing for improper translation, which can lead to unexpected results and possible security vulnerabilities in which non-standard encodings can be used to bypass the HUB’s defensive filters.

    Recommendation 4:

    The Office of Information Technology should improve the HUB application by defining a standard recognized character set for every response containing Hypertext Markup Language content.

    Management Comments. The COO/Acting CIO concurred with this recommendation. See Appendix V for management’s full comments.

    OIG Analysis. We are pleased the COO/Acting CIO concurred with this recommendation.

Finding 4: The Base Images Currently Being Deployed to SEC Laptops Are Out of Date and Not Compliant with OMB Regulations

    Critical updates have not been applied to the base images being deployed by OIT, nor are they FDCC compliant.

C5i found through its assessment that the base image[24] deployed by OIT to SEC laptops and desktops did not comply with the OMB FDCC mandate.[25]
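Returning to the character-set issue under Finding 3 and Recommendation 4 above: the following Python is an added example, not HUB code (which the report does not show). audit() applies the rule from Finding 3 to constructed HTTP responses, reporting HTML responses that declare no charset at all or declare one only in a <meta> tag rather than the Content-Type header, and ensure_charset() is a hypothetical WSGI middleware that makes the header explicit, assuming a site-wide UTF-8 charset.

```python
"""Audit whether HTML responses declare a character set, and a WSGI
middleware that adds one where it is missing (the control Recommendation 4
asks for). Added example, not HUB code; all responses below are constructed."""
import re

# charset parameter of a Content-Type value, e.g. "text/html; charset=UTF-8"
CT_CHARSET = re.compile(r"charset\s*=\s*\"?([\w.:-]+)", re.IGNORECASE)
# <meta charset="..."> or <meta http-equiv="Content-Type" content="...; charset=...">
META_CHARSET = re.compile(rb"<meta[^>]+charset\s*=\s*[\"']?([\w.:-]+)", re.IGNORECASE)


def audit(headers, body):
    """headers: list of (name, value); body: bytes. Returns the declared
    charset, where it was found, and a finding: 'missing', 'meta-only' or None."""
    ctype = next((v for k, v in headers if k.lower() == "content-type"), "")
    if not ctype.lower().startswith("text/html"):
        return {"html": False, "charset": None, "source": None, "finding": None}
    m = CT_CHARSET.search(ctype)
    if m:
        return {"html": True, "charset": m.group(1).lower(), "source": "header", "finding": None}
    # Browsers prescan roughly the first 1024 bytes for a <meta> declaration;
    # a declaration later than that, or none at all, leaves the browser guessing.
    m = META_CHARSET.search(body[:1024])
    if m:
        return {"html": True, "charset": m.group(1).decode("ascii", "replace").lower(),
                "source": "meta", "finding": "meta-only"}
    return {"html": True, "charset": None, "source": None, "finding": "missing"}


def audit_all(responses):
    """responses: iterable of (id, headers, body) -> {id: finding}."""
    return {rid: audit(h, b)["finding"] for rid, h, b in responses}


def ensure_charset(app, charset="UTF-8"):
    """Hypothetical WSGI middleware: append ';charset=<charset>' to any
    text/html Content-Type that lacks one, so every HTML response is explicit."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            fixed = []
            for name, value in headers:
                if (name.lower() == "content-type"
                        and value.lower().startswith("text/html")
                        and not CT_CHARSET.search(value)):
                    value = f"{value}; charset={charset}"
                fixed.append((name, value))
            return start_response(status, fixed, exc_info)
        return app(environ, patched_start)
    return wrapped


def call_wsgi(app, path="/"):
    """Minimal in-process WSGI client: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


def login_page(environ, start_response):
    """Constructed stand-in for an HTML login response that omits the charset."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><head><title>Login</title></head><body>...</body></html>"]


# Constructed sample responses (id, headers, body) as a scanner would record them.
SAMPLES = [
    ("login", [("Content-Type", "text/html")],
     b"<html><head><title>Login</title></head></html>"),
    ("home", [("Content-Type", "text/html; charset=UTF-8")],
     b"<html><body>ok</body></html>"),
    ("search", [("Content-Type", "text/html")],
     b'<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head></html>'),
    ("api", [("Content-Type", "application/json")], b'{"ok": true}'),
]

if __name__ == "__main__":
    print(audit_all(SAMPLES))
    print(call_wsgi(ensure_charset(login_page))[1])
```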
25 C5i found\nthat laptops that are distributed to SEC employees are provided with an image\nthat does not meet FDCC requirements including installation of current approved\nvendor patches and updates. Further, the review identified that OMB\xe2\x80\x99s FDCC\nrequirements, enacted to ensure that all equipment deployed throughout the U.S.\n24\n   A base image is the standardized image used by OIT to install on new laptops and desktops deployed by\nOIT staff. A base image contains the operating system and all standard software that has been approved\nfor use at the SEC.\n25\n   The FDCC, an OMB mandate, requires that all Federal Agencies standardize the configuration of\napproximately 300 settings on each of their Windows XP and Vista Computers. The reason for this\nstandardization is to strengthen Federal IT security by reducing opportunities for hackers to access and\nexploit government computer systems.\nAssessment of the SEC\xe2\x80\x99s Privacy Program                                                   September 29, 2010\nReport No. 485\n                                                Page 15\n\x0cFederal Government has a single, standardized configuration, have not been\nachieved.\n\nOMB\xe2\x80\x99s memorandum M-07-11, \xe2\x80\x9cImplementation of Commonly Accepted Security\nConfigurations for Windows Operating Systems,\xe2\x80\x9d directs agencies to improve\ntheir information security posture and reduce overall IT operating costs. The\nmemorandum further directs agencies that have Windows XP deployed and plan\nto upgrade to the Vista operating system to adopt the security configurations\ndeveloped by NIST, the Department of Defense and the Department of\nHomeland Security, referred to as FDCC. 
During the assessment in June 2010, OIT provided two newly-imaged laptops at
LARO so that the base images deployed within the SEC could be evaluated.

Upon completing the assessment at LARO, C5i found that vendor patches and
updates supplied by Microsoft and required for FDCC compliance had not been
implemented. In addition, in July 2010, C5i conducted the same assessment of
three workstations located at SP. This assessment found that these desktops
were also missing required patches and updates supplied by Microsoft and were,
therefore, not FDCC compliant.

OMB Memorandum M-09-29, "FY2009 Reporting Instruction for the Federal
Information Security Management Act and Agency Privacy Management," states
"Agencies must document and provide NIST with any deviations from the
common security configurations (send documentation to checklists@nist.gov)
and be prepared to justify why they are not using them."[27] C5i was able to
confirm that the SEC does maintain a list of exceptions/deviations from the
common security standards (i.e., FDCC).
However, C5i found that OIT has not
submitted its deviations from FDCC to NIST, as required by OMB.

[26] The Office of Management and Budget, Memorandum M-07-11, "Implementation of Commonly Accepted
Security Configurations for Windows Operating Systems," dated March 22, 2007.
http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-11.pdf.

[27] The Office of Management and Budget, Memorandum M-09-29, "FY2009 Reporting Instruction for the
Federal Information Security Management Act and Agency Privacy Management," dated August 20, 2009.
http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_fy2009/m09-29.pdf.

        Recommendation 5:

        The Office of Information Technology must update the base images for all
        laptops and workstations prior to deployment to ensure Federal Desktop
        Core Configuration compliance.

        Management Comments. The COO/Acting CIO concurred with this
        recommendation. See Appendix V for management's full comments.

        OIG Analysis. We are pleased that the COO/Acting CIO concurred with
        this recommendation.

        Recommendation 6:

        The Office of Information Technology must submit a completed list of
        common security standard deviations to the National Institute of Standards
        and Technology per the Office of Management and Budget's
        requirements.

        Management Comments. The COO/Acting CIO concurred with this
        recommendation. See Appendix V for management's full comments.

        OIG Analysis. We are pleased that the COO/Acting CIO concurred with
        this recommendation.
However, we would request that the OIT report the
        common security standard deviations to NIST as soon as possible.

Finding 5: SEC Laptops Can Be Connected to the
SEC Network Via LAN Port While Simultaneously
Connected to An External Wireless Network
        Laptops can be simultaneously connected to both a local
        area network (LAN) port and an external wireless network,
        exposing the SEC network to potential infiltration.

During the assessment of unauthorized wireless access at LARO, C5i
found that the wireless access card in the two laptops provided by OIT for
the assessment did not automatically disable when the laptop was plugged
into the SEC network via the LAN port, although mitigating controls that
prevent bridging between the LAN and wireless interfaces, and so inhibit
traffic flow between the wireless and wired networks, have been put in place.

C5i found that the wireless cards installed on laptops were in the state of
             which provides potential attackers access to the SEC's
network and data. An Active Directory automated script should be
developed that would disable the wireless card on the laptop as soon as
the laptop is plugged into the SEC network via the LAN port.

The NIST Recommended Security Controls for Federal Information Systems and
Organizations provides the following guidance regarding Wireless Access
controls:

        The organization--

               a. Establishes usage restrictions and implementation guidance for
                  wireless access;
               b. Monitors for unauthorized wireless access to the information
                  system;
               c. Authorizes wireless access to the information system prior to
                  connection; and
               d.
                  Enforces requirements for wireless connections to the information
                  system.[28]

Failure to adhere to this guidance exposes the SEC's network to potential
compromise by a malicious attacker without the user's knowledge. An attacker
looking for open wireless connections is able to see this open wireless
connection and use it to access and compromise the laptop, and potentially the
SEC network, without the user's knowledge.

        Recommendation 7:

        The Office of Information Technology should turn off the wireless card
        installed on laptops when the laptops are connected to the Securities and
        Exchange Commission network via a Local Area Network port.

        Management Comments. The COO/Acting CIO did not concur with this
        recommendation. See Appendix VI for management's full comments.

        OIG Analysis. We urge the COO/Acting CIO to reconsider its
        objection and turn off the wireless card installed on laptops as we
        recommend. Our review found that the wireless access card in the
        two laptops provided by OIT for the assessment did not
        automatically disable when the laptop was plugged into the SEC
        network, thus providing potential access to the SEC's network and
        data. The solution we recommend removes any vulnerability as a
        result of this finding.
We are pleased that OIT has agreed to
        research additional security precautions that may be enabled for
        the wireless configuration.

[28] National Institute of Standards and Technology (NIST), Special Publication 800-53, revision 3,
Recommended Security Controls for Federal Information Systems and Organization,
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.

Finding 6: Improper Handling of PII Data at LARO
       PII Data is being improperly handled, stored, encrypted, and
       emailed at LARO.

PII Data is Contained on Shared Drives Without Access
Controls, Allowing all LARO Employees Unfettered Access to
Documents Saved to the      Drive and to Other Employees'
Archived Email.

During the network and laptop assessments at LARO in June 2010, C5i ran
scans on the shared drive      to verify whether or not PII data was contained in
shared resources and whether access controls were properly enforced to ensure
that only those who have a need to access the data have that ability.

Having shared drives is a common practice for organizations, as it provides a
repository for work that is on the network and is backed up regularly, therefore
reducing the possibility of data loss in the event of a computer crash. It also
provides storage for employees' work product so that they do not use up the
available hard drive space and memory on their workstations/laptops storing
large amounts of information.

Most shared drives are set up to provide certain levels of access to particular
individuals, so that all members of a team working on a certain project can
access data as their job function requires.
Access to project folders on the
shared drives can be limited to the specific team members/employees associated
with that project. This is a common practice called "Least Privilege," and is a
best practice that is used to lessen the possibility of confidential data
compromise, exposure, or leaks from within the agency to outside sources.

The NIST Recommended Security Controls for Federal Information Systems and
Organization provides guidance to organizations on Access Control, specifically
defining "Separation of Duties" and "Least Privilege:"

Access Control

        AC-5 Separation of Duties
              a. Separates duties of individuals as necessary, to prevent
              malevolent activity without collusion;
              b. Documents separation of duties; and
              c. Implements separation of duties through assigned information
              system access authorizations.

        AC-6 Least Privilege
              The organization employs the concept of least privilege, allowing
              only authorized accesses for users (and processes acting on behalf
              of users) which are necessary to accomplish assigned tasks in
              accordance with organizational missions and business functions.[29]

SEC II 24-04.06.3, Access Control, provides guidance on access controls:

        Restricted File Access - All SEC information systems will prevent
        non-privileged accounts/users from modifying system level files and
        accessing system data and resources without a valid need-to-know.
        Where technically feasible, information access on SEC information
        systems will be restricted according to user role rather than by specific
        user identity.

In the assessment, C5i found that there are specific drives and folders set up for
employees to store and access case data; however, C5i also discovered that
employees are saving PII and case/project specific files on the      drive, to which
all employees at LARO have access.

In addition to the project files, employees have also backed up their email
archives (Personal Storage Tab files) to the      drive, and are therefore providing
all other LARO employees unfettered access to their email archives. These email
archives contain all emails sent during a specific timeframe, not necessarily
pertaining to just one subject. Therefore, these archives will not only contain
emails concerning certain work projects, but could also contain emails of a highly
confidential nature, e.g., employee performance, upcoming staff restructuring and
personal email.

If PII or confidential data is going to be stored on the      drive, access control
rights need to be modified to provide Least Privilege. Permitting access without
exercising Least Privilege puts the data at risk of compromise (either accidental
or malicious), or, in the case of any confidential emails, misuse by a disgruntled
employee or someone looking to discredit another person.

If an employee has malicious intent, with the current lack of access controls they
can copy all the files from the shared drive, not just their own projects' data.
Moreover, an outsider can gain access if a computer is logged into the network
but is not secured, and they would be able to copy all of the files without being
detected.
Accordingly, all of the data on the shared drive may be compromised.

[29] See also National Institute of Standards and Technology (NIST) Special Publication 800-53, revision 3,
Recommended Security Controls for Federal Information Systems and Organization, page
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.

        Recommendation 8:

        The Office of Information Technology should implement an agency-wide
        policy regarding shared folder structure and access rights. Network "Least
        Privilege" access should be put in place to ensure that only the employees
        involved with a particular case have access to that data. If an employee
        backs up additional information to the shared resource, only they and their
        supervisor should have access.

        Management Comments. The COO/Acting CIO partially concurred with
        the recommendation. See Appendix VI for management's full comments.

        OIG Analysis. We are pleased that the COO/Acting CIO plans to
        implement an agency-wide policy regarding shared folder structures and
        access rights.
While we are sensitive to the COO/Acting CIO's concerns
        that limiting access to shared drives may impact business and group
        processes, we would encourage the COO/Acting CIO to reconsider
        approving such limitations, as this approach would ensure that the data
        would not be compromised.

        We are pleased that the COO/Acting CIO plans to conduct a risk
        assessment of its network to evaluate this issue and find ways to reduce
        the risks identified in this finding.

        Recommendation 9:

        The Office of Information Technology will ensure that Personal Storage Tab
        (.PST) files are saved to a protected folder.

        Management Comments. The COO/Acting CIO did not concur with the
        recommendation. See Appendix VI for management's full comments.

        OIG Analysis. While we are sensitive to the COO/Acting CIO's concern
        that requiring .PST files to be saved to a protected folder may impact
        business and group processes, we urge the COO/Acting CIO to reconsider
        its opposition to this solution to the risk identified in this finding. We are
        pleased that the COO/Acting CIO intends to research this matter and
        plans to identify a course of action to protect the sensitive information
        contained in these files.

LARO Employees are Violating Policy by Sending Documents
Containing PII to Personal Email Accounts and Using Portable
Media that is Not Being Encrypted.
        Emailing PII data or sensitive data to a personal email
        address or account is in direct violation of the SEC Rules of
        the Road.
        LARO follows the SEC policy of forced encryption
        for all portable media; however, it is not being adhered to by
        staff.

Another phase of the LARO network and workstation assessment was to verify
whether there was any mishandling of PII data through email, e.g., emailing
documents containing PII insecurely. This involved analyzing the Personal
Storage Tab files on the shared drives, as well as reviewing the email logs of sent
and received messages and any attachments in staff email accounts.

Through this effort, C5i discovered two issues: emailing of PII to personal email
accounts and a lack of encryption of emails. In order to protect the privacy of
sensitive PII data, C5i provided examples to OIT as evidence of its findings;
however, examples were not included in the report due to the sensitivity of the
information. Examples of PII data we found stored in unsecured file cabinets and
an unsecured office space can be found in Appendix II.

Furthermore, in interviews with an IT specialist at LARO, C5i discovered that staff
is unhappy and frustrated with the current forced encryption solution, and has
become impatient with how long it takes to save documents to portable media
when they need to go out in the field. As a result, some employees have been
saving unencrypted versions of the data onto CDs, which were found to be left
unsecured on desktops during the physical assessment at LARO. In addition, C5i
discovered that while data is received on encrypted CDs, staff makes multiple
unencrypted copies for use during the investigations.

Staff Sending Unencrypted Documents to Personal Email Accounts.
Rather than saving documents to removable media in an encrypted format, C5i
found, in an email archive, that an attorney emailed unencrypted documents to a
personal email address.
This is a violation of SEC policy and a potentially
reckless practice.

SECR 24-04-A01, SEC Rules of the Road, specifically states "DO NOT use e-mail
to send material that is sensitive or that contains personally identifiable
information (PII) to your personal e-mail account(s)."

Should the personal computer of the individual be compromised in any way
(malware, virus, etc.), the PII data, as well as any other sensitive information
emailed, would be exposed in a data breach of which the individual may not be
aware. Also, if the employee's login credentials for their personal email are
compromised in any way, this information would be readily available and could
be used against the Commission maliciously, as well as possibly compromise an
investigation.

Unencrypted Portable Media. In September 2008, the OIT CTO sent a
memorandum to all SEC Division/Office Directors and Regional Directors
outlining the SEC's portable media encryption policy. At that time, the regional
offices were given two options: forced encryption of all portable media, or
optional encryption that is determined by the user. LARO adopted the SEC
Policy of Forced Encryption for all portable media.

A physical walkthrough of the LARO office space (cubes, offices, work areas, file
rooms) was conducted on Saturday and Sunday, June 26-27, 2010. With the
exception of the file storage in                                  of the building,
once inside the occupied space using card key access, we found that none of the
offices were locked.

Upon inspection of the areas, we found CDs containing documentation
pertaining to current investigations on desks, on top of file cabinets, in file boxes,
etc., all easily accessible.
A random sampling of CDs was examined by opening
the CDs using the assessment laptops, and none of them were encrypted.[30]

While the random sampling of CDs did not contain any PII data, LARO
nevertheless has a policy of forced encryption of all portable media, and the fact
that these CDs were unencrypted violates that policy.

While we did not find PII in our sampling, the ability to make unencrypted copies
of CDs containing sensitive information is a dangerous practice, especially
multiple copies. It is impossible for anyone to know all the information contained
on a CD and whether or not there is PII, or to keep track of multiple copies of
data. One of the copies can be lost or misplaced or removed from the office,
putting that data at serious risk of a breach.

[30] C5i was unable to determine if the CDs were created prior to LARO's implementation of the SEC
Policy of Forced Encryption for all portable media.

        Recommendation 10:

        The Los Angeles Regional Office (LARO) Director should reemphasize the
        SEC Rules of the Road to LARO staff through training and awareness
        programs, and the policy needs to be strongly enforced.

        Management Comments. LARO concurred with this recommendation.
        See Appendix VI for management's full comments.

        OIG Analysis. We are pleased that LARO concurred with this
        recommendation.

        Recommendation 11:

        The Los Angeles Regional Office Director should enforce its encryption
        policy to protect sensitive data the Securities and Exchange Commission
        receives.

        Management Comments.
        LARO concurred with this recommendation.
        See Appendix VI for management's full comments.

        OIG Analysis. We are pleased that LARO concurred with this
        recommendation.

        Recommendation 12:

        The Chief Operating Officer should implement a policy that all portable
        media must be fully secured (i.e., locked in file cabinets) when not in use.

        Management Comments. The COO/Acting CIO concurred with this
        recommendation. See Appendix VI for management's full comments.

        OIG Analysis. We are pleased that the COO/Acting CIO concurred with
        this recommendation.

        Recommendation 13:

        The Chief Operating Officer should appoint a privacy point of contact at
        each regional office to ensure compliance with Commission policies and
        procedures.

        Management Comments. The COO/Acting CIO concurred with this
        recommendation. See Appendix VI for management's full comments.

        OIG Analysis. We are pleased that the COO/Acting CIO concurred with
        this recommendation.

Hard Copy, Physical Documents Containing PII Are Unsecured

        Due to the nature of the Commission's work, hard copy
        documents are necessary for investigations, but there is a
        lack of physical security for the boxes of files, as well as
        individual documents and portable media (CD).

In the walk-through of LARO, C5i assessed the physical office space on the
partial floors occupied by the SEC               and the full floors      , as
well as                            file storage rooms. The           storage
room is accessible with card key access, and the "cages" where the archives are
stored are secured by padlock, to which only IT and facilities staff have keys. The
         storage area is accessible by access card, and all SEC employees
have access to this area.

The SEC has an approved and implemented policy on the protection of sensitive
data, as follows:

        II 24-04.02.01 (01.0) SEC Implementing Instruction - Sensitive
        Data Protection states "All SEC sensitive information is protected in
        a manner commensurate with its sensitivity, value, and criticality,
        regardless of the media on which it is stored, the information
        systems that process, store, or transmit the information, or the
        methods by which the information is moved."

The SEC Rules of the Road also address the proper handling of PII, as follows:

        SECR 24-04-A01 SEC Rules of the Road reinforces this by stating:

        •   Do Not leave PII material in uncontrolled areas.
        •   Do Not grant access to PII material to individuals who are not
            authorized to handle such information.

On the SEC-occupied floors, there are open work areas, including employee
offices/cubes, libraries, and large file rooms containing files pertaining to current
LARO investigations. During the walk-through, C5i found the following areas of
concern.

Unsecured Documents and Files. The rooms designated as "file rooms" on the
occupied floors are not secured. They do not require card key access, and the
doors are left wide open. These rooms contain hard copy evidence pertinent to
current investigations.
The sheer volume of the files in these rooms means it
would be very difficult for anyone to realize in a timely manner whether
information had been removed.

Additionally, C5i found boxes of files in hallways and unsecured offices. Again,
these are files pertaining to current investigations, and having them unsecured
can lead to serious data compromise.

In the library areas, C5i found spreadsheets containing PII left on work tables.
These spreadsheets contained PII such as full names and addresses, account
numbers, and tax ID/social security numbers. This is information that is highly
desirable to anyone with the intent of identity theft. C5i also found documents
containing PII left on fax machines and on desk chairs for filing. Any of these
documents could have been removed, duplicated, or copied by a person with
malicious intent who has approved access to the office area, which not only
includes SEC employees, but also cleaning crews, security guards, and other
approved personnel.

        Recommendation 14:

        The Los Angeles Regional Office (LARO) Director should ensure all file
        rooms and file cabinets at LARO are secured.

        Management Comments. LARO concurred with this recommendation.
        See Appendix VI for management's full comments.

        OIG Analysis. We are pleased that LARO concurred with this
        recommendation.

        Recommendation 15:

        The Los Angeles Regional Office Director should ensure that boxes of
        files stored in hallways are moved to secured areas.

        Management Comments. LARO concurred with this recommendation.
        See Appendix VI for management's full comments.

        OIG Analysis.
        We are pleased that LARO concurred with this
        recommendation.

        Recommendation 16:

        The Chief Operating Officer should either implement a clean desk policy to
        ensure sensitive information is properly secured, or require that all offices
        be locked when not occupied.

        Management Comments. The COO/Acting CIO concurred with this
        recommendation. See Appendix VI for management's full comments.

        OIG Analysis. We are pleased that the COO/Acting CIO concurred with
        this recommendation.

        Recommendation 17:

        The Chief Operating Officer should conduct additional training to ensure
        that staff fully understands the rules and policies concerning the handling
        of Personally Identifiable Information and sensitive data and their
        responsibilities in protecting Securities and Exchange Commission
        information.

        Management Comments. The COO/Acting CIO concurred with this
        recommendation. See Appendix VI for management's full comments.

        OIG Analysis. We are pleased that the COO/Acting CIO concurred with
        this recommendation.

Finding 7: The SEC Has No Final Policies or
Procedures for the Destruction of Portable Media
Storage Devices
        The SEC does not have formal, documented, approved, and
        well-communicated policies or procedures for the destruction
        of portable media storage devices.

SEC staff regularly use portable media storage devices, such as thumb drives
and CDs, to save files, including files containing sensitive, confidential,
non-public, and/or PII data.
C5i found that the SEC does not have a formal,
documented, or approved policy for destruction of portable media storage
devices in place, contrary to NIST standards and security best practices.

The NIST Recommended Security Controls for Federal Information Systems and
Organization also provides guidance on Media Protection. This guidance
suggests, "The organization develops, disseminates, and reviews/updates: a. A
formal, documented media protection policy that addresses purpose, scope,
roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and b. Formal, documented procedures
to facilitate the implementation of the media protection policy and associated
media protection controls."[31]

[31] NIST, Special Publication 800-53, revision 3, Recommended Security Controls for Federal Information
Systems and Organization,
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.

The SEC Implementing Instructions - Sensitive Data Protection, II 24-04.02.01
(01.0), April 6, 2006, provides instructions on the protection of sensitive data and
the need for shredding of sensitive data. The Implementing Instructions state,
"Disposal/Destruction. Sensitive materials must be destroyed by shredding or by
other approved means that provide a similar level of destruction."

During the review, C5i found that OIT has drafted operating procedures
concerning the destruction of portable media devices titled, Hard Drive Wiping
and Media Destruction.
These draft operating procedures outline OIT's
proposed policy for disposal of media storage devices; however, they do not
identify the roles and responsibilities of the originator, i.e., the employee. In
addition, this draft operating procedure has not been formalized or approved by
senior management.

C5i found during interviews in July and August 2010 with SEC Headquarters
(HQ) staff members that HQ staff did not know where or how to properly dispose
of portable media storage devices containing sensitive information. Furthermore,
the physical inspection of HQ, the OPC, and LARO found that secured
containers for the shredding and/or disposal of portable media storage devices
were not conveniently located throughout the facilities.

The lack of formal, documented, and well-communicated policies and procedures
could result in the mishandling and improper disposal of media containing
sensitive and/or PII data. In addition, the lack of conveniently located, secured
containers could discourage individuals from properly disposing of portable
media storage devices, and increase the likelihood of unauthorized individuals
accessing sensitive and PII data.

        Recommendation 18:

        The Office of Information Technology should finalize, approve and
        implement its operating procedures for Hard Drive Wiping and Media
        Destruction, and make staff aware of the procedures and their roles and
        responsibilities for the disposal of portable media storage devices. These
        operating procedures should include information concerning the roles and
        responsibilities of all Commission employees in the proper destruction of
        portable media storage devices.

        Management Comments. The COO/Acting CIO concurred with this
        recommendation. See Appendix VI for management's full comments.

        OIG Analysis.
We are pleased that the COO/Acting CIO concurred with\n        this recommendation.\n\n        Recommendation 19:\n\n        The Office of Information Technology should provide Commission staff\n        training on the handling, disposal, and storage of portable media storage\n        devices.\n\n\n\n32\n  DRAFT Operating Procedure: Hard Drive Wiping and Media Destruction, OP 24-05.02.06.10 (01.0) \xe2\x80\x93\nJanuary 26, 2010.\nAssessment of the SEC\xe2\x80\x99s Privacy Program                                         September 29, 2010\nReport No. 485\n                                           Page 28\n\x0c        Management Comments. The COO/Acting CIO concurred with this\n        recommendation. See Appendix VI for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that the COO/Acting CIO concurred with\n        this recommendation.\n\n        Recommendation 20:\n\n        The Office of Administrative Services should provide secured bins for the\n        disposal of portable media storage devices that are easily accessible to all\n        Commission employees and the use and locations of these bins should be\n        clearly communicated to all employees.\n\n        Management Comments. OAS concurred with this recommendation.\n        See Appendix VI for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that the OAS concurred with this\n        recommendation.\n\n\n\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                             September 29, 2010\nReport No. 
485\n                                          Page 29\n\x0c                                                                       Appendix I\n\n\n                                          Acronyms\nC&A                       Certification and Accreditation\nCIO                       Chief Information Officer\nCISO                      Chief Information Security Officer\nCPO                       Chief Privacy Officer\nCSIRT                     Computer Security Incident Response Team\nCVE                       Common Vulnerabilities and Exposures\nCVSS                      Common Vulnerability Scoring System\nFDCC                      Federal Desktop Core Configuration\nFIPS                      Federal Information Processing Standards\nHP                        Hewlett-Packard\nHQ                        Headquarters\nLARO                      Los Angeles Regional Office\nNIST                      National Institute of Standards and Technology\nNVA                       Network Vulnerability Assessment\nNVD                       Network Vulnerability Database\nOASA                      Onsite Application Security Assessment\nOGC                       Office of General Counsel\nOIG                       Office of Inspector General\nOIT                       Office of Information Technology\nOMB                       Office of Management and Budget\nOPC                       Operations Center\nOWASP                     Open Web Application Security Project\nPAW                       Privacy Assessment Worksheet\nPDT                       Pacific Daylight Time\nPIA                       Privacy Impact Assessment\nPII                       Personally Identifiable Information\nPIRT                      Privacy Incident Response Team\nROE                       Rules of Engagement\nSAOP                      Senior Agency Official for Privacy\nSEC                       Securities and Exchange Commission\nSORN                      System of Records Notice\nSP                
        Station Place\nUSGCB                     United States Government Configuration Baseline\n\n\n\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                            September 29, 2010\nReport No. 485\n                                           Page 30\n\x0c                                                                  Appendix II\n\n\n                       Examples of PII Violations\n\n                 Figure 1: Unsecured Files Found in the Open\n                 Containing PII Data at LARO\n\n\n\n\n                 Source: Generated by C5i\n\n\n\n\n                Figure 2: Unsecured Files at LARO\n\n\n\n\n                 Source: Generated by C5i\n\n\n\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                        September 29, 2010\nReport No. 485\n                                            Page 31\n\x0c                                                                                 Appendix III\n\n\n                          Scope and Methodology\n\nScope. The scope of our review covered calendar year 2008 to July 2010 and\nincludes the SEC headquarters offices and divisions (includes the OPC and\nLARO). To ensure the protection of the Commission\xe2\x80\x99s employees, contractors\nand customer\xe2\x80\x99s PII information, our scope also included a review of OIT\xe2\x80\x99s\noversight of Commission offices and divisions and the SEC\xe2\x80\x99s governing privacy\npolicies and procedures, NIST guidance, OMB guidelines and other governing\nguidance and regulations. Our review also included select workstations, laptops\nand servers. We further performed a network vulnerability assessment at LARO\nand OPC to evaluate the security posture of the SEC\xe2\x80\x99s network in handling and\nprotecting PII data. Lastly, we followed up on a previous issued OIG report\xe2\x80\x99s\nrecommendations that pertained to privacy and the protection of PII data. 33\n\nMethodology. 
In evaluating the adequacy of the SEC\xe2\x80\x99s privacy policies and\nprocedures, OIT\xe2\x80\x99s interaction and involvement with the Commission\xe2\x80\x99s offices and\ndivisions we identified the universe of where privacy data resides and conducted\nan assessment of the area. We further interviewed OIT staff to ascertain their\nknowledge of federal guidance on the protection of PII information and the proper\nprocedures for protecting PII. We also reviewed the Annual Privacy Awareness\nTraining guidance and policy that is issued to SEC employees and contractors, to\nverify that it addressed all issues surrounding the responsibility of Commission\nemployees and contractors to protect PII information.\n\nTo meet the objective of performing an in depth analysis of privacy requirements\nand to identify the SEC\xe2\x80\x99s process and procedures that are used to conduct\nprivacy reviews, we interviewed OIT staff, conducted a physical inspection of the\noffice space that is occupied by SEC staff at LARO, conducted an assessment of\nthe LARO network servers, and conducted an assessment on a sample selection\nof its deployed and un-deployed workstations. To ensure compliance with SEC\npolicies and procedures regarding the handling and protection of PII data we\nconducted a physical inspection at LARO by walking through offices and storage\nareas. We documented our findings by taking photographic evidence of PII\ninformation that was not properly stored.\n\nFurther, to meet the objective to assess whether the SEC has developed and\nimplemented technical, managerial, or operational privacy-related controls to\neffectively mitigate know risks that are inherent to the Privacy Act\xe2\x80\x99s system of\nrecords, C5i assessed 66 workstations/laptops, 8 servers, and 2 freshly imaged\nlaptops, which provided an in-depth picture of LARO\xe2\x80\x99s network security posture.\nWe further conducted a vulnerability assessment at the OPC. 
We also reviewed\n33\n  SEC Report No. 475, Evaluation of the SEC Privacy Program, March 26, 2010.\nAssessment of the SEC\xe2\x80\x99s Privacy Program                                        September 29, 2010\nReport No. 485\n\n                                             Page 32\n\x0c                                                                     Appendix III\n\nthe shared drive     to verify access controls in protecting information and\nbacked up Outlook Personal Storage Tab files to ensure that PII transmitted via\nemail was properly protected. Lastly, we conducted a HUB application\nassessment to evaluate the security posture of the application in protecting PII\ndata.\n\n\n\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                           September 29, 2010\nReport No. 485\n\n                                          Page 33\n\x0c                                                                      Appendix IV\n\n\n                            Criteria and Guidance\n\nC5i used the following guidelines for this evaluation:\n\n    \xe2\x80\xa2   OMB Memorandum 07-11, \xe2\x80\x9cImplementation of Commonly Accepted\n        Security Configurations for Windows Operating System\xe2\x80\x9d\n    \xe2\x80\xa2   OMB Memorandum 08-22, \xe2\x80\x9cGuidance on the Federal Desktop Core\n        Configuration\xe2\x80\x9d\n    \xe2\x80\xa2   OMB Memorandum 09-29, \xe2\x80\x9cFY2009 Reporting Instructions for the Federal\n        Information Security Management Act and Agency Privacy Management\xe2\x80\x9d\n    \xe2\x80\xa2   OMB Memorandum 03-22, \xe2\x80\x9cOMB Guidance for Implementing the Privacy\n        Provisions of the E-Government Act of 2002\xe2\x80\x9d\n    \xe2\x80\xa2   NIST SP 800-70. 
\xe2\x80\x9cNational Checklist Program for IT Products\xe2\x80\x94Guidelines\n        for Checklist Users and Developers\xe2\x80\x9d\n    \xe2\x80\xa2   NIST SP 800-122, \xe2\x80\x9cGuide to Protecting the Confidentiality of Personally\n        Identifiable Information\xe2\x80\x9d\n    \xe2\x80\xa2   NIST SP 800-53 Rev 3, \xe2\x80\x9cRecommended Security Controls for Federal\n        Information Systems\xe2\x80\x9d\n    \xe2\x80\xa2   NIST SP 800-40, \xe2\x80\x9cCreating a Patch and Vulnerability Management\n        Program\xe2\x80\x9d\n    \xe2\x80\xa2   NIT SP 800 -111, \xe2\x80\x9cGuide to Storage Encryption Technologies for End\n        User Devices\xe2\x80\x9d\n    \xe2\x80\xa2   The Privacy Act of 1974\n    \xe2\x80\xa2   Computer Security Act of 1987\n    \xe2\x80\xa2   SEC/OIT, Privacy Impact Assessment Guide, January 2007\n    \xe2\x80\xa2   SEC Privacy Analysis Worksheet Template\n    \xe2\x80\xa2   SEC Privacy Impact Assessment Template\n    \xe2\x80\xa2   Safeguarding Personally Identifiable Information (PII)\n    \xe2\x80\xa2   SEC Rules of the Road\n    \xe2\x80\xa2   SEC Regulation 23-2a, Safeguarding Non-Public Information\n    \xe2\x80\xa2   SEC, IT Security Implementing Instruction, II 24-04.02.01 (01.0), Sensitive\n        Data Protection\n\n\n\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                            September 29, 2010\nReport No. 485\n                                          Page 34\n\x0c                                                                       Appendix V\n\n\n                        List of Recommendations\n\nRecommendation 1:\n\nThe Office of Information Technology should apply patches and updates to the\nCommission\xe2\x80\x99s networks, workstations, and laptops on a timely basis. 
All future\npatches should be applied within        of vendor release, with emergency\npatches being applied on an ad-hoc basis to protect the agency\xe2\x80\x99s systems and\ndata.\n\nRecommendation 2:\n\nThe Office of Information Technology should implement formal processes and\nprocedures to regularly review whether a newly-released patch should or should\nnot be applied to the environment.\n\nRecommendation 3:\n\nThe Office of Information Technology should evaluate its risk assessment\nprocess for scoring risk to ensure that it adequately weights all appropriate\nfactors, including the identification of risk levels by vendors.\n\nRecommendation 4:\n\nThe Office of Information Technology should improve the HUB application by\ndefining a standard recognized character set for every response containing\nHypertext Markup Language content.\n\nRecommendation 5:\n\nThe Office of Information Technology must update the base images for all\nlaptops and workstations prior to deployment to ensure Federal Desktop Core\nConfiguration compliance.\n\nRecommendation 6:\n\nThe Office of Information Technology must submit a completed list of common\nsecurity standard deviations to the National Institute of Standards and\nTechnology per the Office of Management and Budget\xe2\x80\x99s requirements.\n\n\n\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                             September 29, 2010\nReport No. 485\n                                          Page 35\n\x0c                                                                      Appendix V\n\n\nRecommendation 7:\n\nThe Office of Information Technology should turn off the wireless card installed\non laptops when the laptops are connected to the Securities and Exchange\nCommission network via a Local Area Network port.\n\nRecommendation 8:\n\nThe Office of Information Technology should implement an agency-wide policy\nregarding shared folder structure and access rights. 
Network \xe2\x80\x9cLeast Privilege\xe2\x80\x9d\naccess should be put in place to ensure that only the employees involved with a\nparticular case have access to that data. If an employee backs up additional\ninformation to the shared resource, only they and their supervisor should have\naccess.\n\nRecommendation 9:\n\nThe Office of Information Technology will ensure Personal Storage Tab (.PST)\nfiles should be saved to a protected folder.\n\nRecommendation 10:\n\nThe Los Angeles Regional Office (LARO) Director should reemphasize the SEC\nRules of the Road to LARO staff through training and awareness programs and\nthe policy needs to be strongly enforced.\n\nRecommendation 11:\n\nThe Los Angeles Regional Office Director should enforce its encryption policy to\nprotect sensitive data the Securities and Exchange Commission receives.\n\nRecommendation 12:\n\nThe Chief Operating Officer should implement a policy that all portable media\nmust be fully secured (i.e., locked in file cabinets) when not in use.\n\nRecommendation 13:\n\nThe Chief Operating Officer should appoint a privacy point of contact at each\nregional office to ensure compliance with Commission policies and procedures.\n\n\n\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                            September 29, 2010\nReport No. 
485\n                                          Page 36\n\x0c                                                                        Appendix V\n\n\nRecommendation 14:\n\nThe Los Angeles Regional Office (LARO) Director should ensure all file rooms\nand file cabinets at LARO are secured.\n\nRecommendation 15:\n\nThe Los Angeles Regional Office Director should ensure that boxes of files\nstored in hallways should be moved to secured areas.\n\nRecommendation 16:\n\nThe Chief Operating Officer should either implement a clean desk policy to\nensure sensitive information is properly secured, or require that all offices be\nlocked when not occupied.\n\nRecommendation 17:\n\nThe Chief Operating Officer should conduct additional training to ensure that staff\nfully understands the rules and policies concerning the handling of Personally\nIdentifiable Information and sensitive data and their responsibilities in protecting\nSecurities and Exchange Commission information.\n\nRecommendation 18:\n\nThe Office of Information Technology should finalize, approve and implement its\noperating procedures for Hard Drive Wiping and Media Destruction, and make\nstaff aware of the procedures and their roles and responsibilities for the disposal\nof portable media storage devices. 
These operating procedures must include\ninformation concerning the roles and responsibilities of all Commission\nemployees in the proper destruction of portable media storage devices.\n\nRecommendation 19:\n\nThe Office of Information Technology should provide Commission staff training\non the handling, disposal, and storage of portable media storage devices.\n\nRecommendation 20:\n\nThe Office of Administrative Services should provide secured bins for the\ndisposal of portable media storage devices that are easily accessible to all\nCommission employees and the use and locations of these bins should be\nclearly communicated to all employees.\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                              September 29, 2010\nReport No. 485\n                                          Page 37\n\x0c                                                                                 Appendix VI\n\n\n                         Management Comments\n                                    MEMORANDUM\n                                          September 23, 2010\n\n  To:             David Kotz, Inspector Genera~ OIG\n                  Jacqueline Wilson, Assistant Inspector General, OIG\n\n  From:           Jeffrey Heslop, Chief Operating Officer, OCOO & Acting Chief\n                  Information Officer, OIT\n\n   Subject:       Management Response to OIG Report 485, Privacy Program Assessment\n\n  Thank you for the opportunity to comment on the recommendations in the draft "Privacy\n  Program Assessment" report. The Office ofInformation Technology and the Office of\n  the Chief Operating Officer fully support the obligation of the SEC to protect the privacy\n  of individuals.\n\n  Out of the fifteen recommendations that fall directly within my purview, we concur with\n  twelve of them, do not concur with two, and partially concur with one. 
For the items we\n  do not concur with, we do think additional analysis is required to detennine our actual\n  risk posture and what alternate actions may be appropriate to bring the operational risk to\n  an acceptable level. We will begin conducting such analysis immediately.\n\n  In closing, thank you again. We appreciate the opportunity to respond to your\n  recommendations and value the results of your assessments to help manage our risk\n  posture. Responses to each recommendation are below.\n\n  Recommendation 1:\n\n  The Office ofInformation Technology should apply patches and updates to the\n  Commission\'s networks, workstations, and laptops on a timely basis. All future patches\n  should be applied within 30 days ofvendor release, with emergency patches being\n  applied on an ad-hoc basis to protect the agency\'s systems and data.\n\n   Response to Recommendation 1:\n\n   The Office ofInformation Technology concurs with this recommendation for Windows\n   based server and desktop systems. All future required patches for Windows systems will\n   be applied within 30 days from the date that OIT has reviewed and approved the patch.\n   Unix/Linux patches are released by the vendors as bundles on a quarterly basis. For\n   UNIX/Linux server systems, there are several applications that require testing by\n   business users to ensure the applications continue to function once the patch bundle has\n   been applied. All future required UNIX/Linux patches will be applied within 60 days\n   from the date that OIT has reviewed and approved the patch.\n\n\n\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                                       September 29, 2010\nReport No. 
485\n                                              Page 38\n\x0c                                                                                   Appendix VI\n\n\n\n  Recommendation 2:\n\n  The Office ofInformation Technology should implement formal processes and\n  procedures to regularly review whether a newly-released patch should or should not be\n  applied to the environment.\n\n  Response to Recommendation 2:\n\n The Office ofInformation Technology concurs with this recommendation and will\n formalize the decision process to deploy or not deploy patches.\n\n Recommendation 3:\n\n The Office ofInformation Technology should evaluate its risk assessment process for\n scoring risk.\n\n Response to Recommendation 3:\n\n The Office ofInformation Technology concurs with this recommendation and will\n reevaluate its risk scoring process to include multiple factors of the risk equation.\n\n Recommendation 4:\n\n The Office ofInformation Technology should improve the HUB application by defming\n a standard recognized character set for every response containing Hypertext Markup\n Language content.\n\n Response to Recommendation 4:\n\n The Office ofInformation Technology concurs with this recommendation. We have\n defined and tested a recognized character set for HUB. It will be deployed into\n production by 15 October 2010.\n\n Recommendation 5:\n\n The Office ofInformation Technology must update the base images for all laptops and\n workstations, prior to deployment, to ensure Federal Desktop Core Configuration\n compliance.\n\n Response to Recommendation 5:\n\n The Office ofInfonnation Technology concurs with this recommendation. The current\n process relies on the Active Directory group policy that is applied to the system when the\n system is connected to the production network and the user logs on to the system for the\n first time. 
OIT will establish a process that will also incol"JXlrate FDCC compliance\n\n\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                                         September 29, 2010\nReport No. 485\n                                            Page 39\n\x0c                                                                                    Appendix VI\n\n\n  settings (aside from setting exceptions that have been documented) into the local security\n  policies of our base desktop image.\n\n  Recommendation 6:\n\n  The Office ofInformation Technology must submit a completed list of common security\n  standard deviations to the National Institute of Standards and Technology per the Office\n  ofManagement\n  of Management and Budget\'s requirements.\n\n  Response to Recommendation 6:\n\n  The Office ofInfonnation Technology concurs with this recommendation. OIT\n                                                                          OtT will\n  establish configuration standards based on NIST guidance and provide NIST with any\n  deviations from such guidance by I July 2011.\n\n  Recommendation 7:\n\n  The Office ofInformation Teclmology\n                            Technology should tum off the wireless card installed on\n  laptops when the laptops are cotulected\n                               ootulected to the SEC network via a Local Area Network\n  port.\n\n  Response to Recommendation 7:\n\n  The Office ofInformation Technology does not concur with this recommendation. Our\n  current standard\' network configuration\n                            oonfiguration for laptops with wireless cards prevents access to\n  the Local Area Network interface from a wireless network by disabling the ability to\n  bridge and to route between the two network cards. 
However, OIT OtT will research\n  additional security precautions that may be enabled for our wireless configuration.\n\n  Recommendation 8:\n\n  The Office ofInfonnation Technology should implement an agency-wide policy\n  regarding shared folder structure and access rights. Network "Least Privilege" access\n  should be put in place to ensure that only the employees involved with a particular case\n  have access to that data. Ifan employee backs up additional information to the shared\n  resource. only they and their supervisor should have access.\n  resource,\n\n  Response to Recommendation 8:\n\n   The Office ofInfonnation Technology concurs with implementing an agency-wide\n   policy regarding shared folder structures and access rights. OIT does not concur with\n   the remainder of the recommendation. Preventing a user from being able to write to a\n  \xc2\xb7shared resource, which is what a backup is doing, could significantly impact business and\n   group processes. OIT\n                     OtT will conduct a risk assessment to determine the pervasiveness of\n   this issue and determine whether to accept the risk or implement process and/or tools to\n   reduce the risk to an acceptable level.\n\n\n\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                                          September 29, 2010\nReport No. 485\n                                            Page 40\n\x0c                                                                                     Appendix VI\n\n\n\n   Recommendation 9:\n\n  The Office of Information Technology will ensure Personal Storage Tab CPST) files\n  should be saved to a protected folder.\n\n  Response to Recommendation 9:\n\n  The Office of Infurmation Technology does not concur with this recommendation.\n  Preventing the saving of .PST files to shared drives could have a significant impact on\n  business and group processes. 
OIT will need to conduct some research as to the\n  pervasiveness of .PST files being stored in shared folders. Following that research, OlT\n  will identify an appropriate course of action to protect the sensitive information that may\n  be contained in them.\n\n  Recommendation 12:\n\n  The Chief Operating Officer should implement a policy that all portable media must be\n  fully secured (i.e. locked in file cabinets) when they are not in use.\n\n  Response to Recommendation 12:\n\n  The Office ofthe Chief Operating Officer concurs with this recommendation. OCOO\n  will publish a policy requiring portable media be properly secured when not in use.\n\n  Recommendation 13:\n\n  The Chief Operating Officer should appoint a Privacy point of contact at each regional\n  office to ensure compliance with Commission policies and procedures.\n\n  Response to Recommendation 13:\n\n  The Office ofthe Chief Operating Officer concurs with this recommendation. OCOO\n  will work with the regional offices to identify Privacy points of contact and document\n  their responsibilities.\n\n  Recommendation 16:\n\n  The Chief Operating Officer should either implement a clean desk policy to ensure\n  sensitive information is properly secured, or require that all offices be locked when not\n  occupied.\n\n\n\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                                           September 29, 2010\nReport No. 485\n                                             Page 41\n\x0c                                                                                    Appendix VI\n\n\n\n Response to Recommendation 16:\n\n The Office of the Chief Operating Officer concurs with this recommendation. 
OCOO\n will establish a policy for the proper protection of sensitive information on portable\n media or in other portable formats, such as paper.\n\n Recommendation 17:\n\n The Chief Operating Officer should conduct additional training to ensure that staff fully\n understands the rules and policies concerning the handling of PI I and sensitive data and\n their responsibilities in protecting SEC information.\n\n Response to Recommendation 17:\n\n The Office of the Chief Operating Officer concurs with this recommendation. The SEC\n already requires annual security and privacy training for all staff. In addition, the Privacy\n Officer will conduct an analysis to identify areas of staff or individuals who may require\n additional training on policies concerning the protection of sensitive information. When\n identified, they may be required to repeat their security and privacy training or receive\n more focused training as resources permit.\n\n Recommendation 18:\n\n The Office ofInformation Technology should finalize, approve and implement its\n operating procedures for Hard Drive Wiping and Media Destruction, and make staff\n aware of the procedures and their toles and responsibilities for the disposal of portable\n storage media devices. These operating procedures must include information concerning\n the roles and responsibilities of all Commission employees in the proper destruction of\n portable storage media devices.\n\n Response to Recommendation 18:\n\n The Office oflnformation Technology concurs with this recommendation. The\n procedures for media destruction will be finalized and distributed.\n\n Recommendation 19:\n\n The Office oflnformation Technology should provide Commission staff training on the\n handling, disposal, and storage of portable storage media devices.\n\n Response to Recommendation 19:\n\n The Office ofInformation Technology concurs with this recommendation. 
Training on\n the handling, disposal, and storage of portable media devices will be provide to support\n additional guidance being developed by OIT and OCOO.\n\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                                          September 29, 2010\nReport No. 485\n                                            Page 42\n\x0c                                                                                    Appendix VI\n\n\n\n                                          MEMORANDUM\n\n                                          September 24, 2010\n\n\n       TO:           H. David Katz\n                     Inspector General\n\n      FROM:          SbaronSbeelwt~~\n                     Associate Executive Director\n                     Office of Administrative Services\n\n      SUBJECf:       OAS Management Response to Draft. Report No. 485, Privacy Program\n                    AM~sm~t                                    .\n\n      This memorandum is in response to the Office ofInspector General\'s Draft Report No.\n      485, Privacy Program Assessment. Thank: you for the opportunity to review and respond\n      to this report. We concur with the reconunendation addressed to OAS.\n\n      Reeommadation 20:\n\n      OAS concurs. We will assess the type. quantity and locations needed fur sccurc disposal\n      bins fur portable media devices. We will communicate to all SEC staffthe location and\n      use ofthe secure bins.\n\n\n      Cc:\n      Jeffery Heslop. auef Operating Officer\n      Rosalind T}OOIl, Regional Director, Los Angeles Regional Office\n\n\n\n\nAssessment of the SEC\xe2\x80\x99s Privacy Program                                           September 29, 2010\nReport No. 
485

Appendix VI

Privacy Program Assessment Audit
LARO Response to Recommendations 10, 11, 14, & 15

Our responses to the recommendations directed to the LARO, recommendations 10, 11, 14 and 15, are noted below. We would also like to note that we object to page vi of the executive summary that states, "LARO employees are routinely violating policy by sending documents containing PII data to personal email accounts and by using portable media that is not encrypted." The audit report only found one instance of a LARO employee sending a document containing PII to a personal email account; further, the IG's contractor was unable to determine if the unencrypted CDs were created prior to the LARO's implementation of the SEC Policy of Forced Encryption for all portable media. Accordingly, the above language is overstated and unsupported and we request that it be removed.

Recommendation 10

The LARO Director should reemphasize the SEC Rules of the Road to LARO staff through training and awareness programs and the policy needs to be strongly enforced.

Response to Recommendation 10

The LARO concurs with Recommendation 10.

After receiving the IG's draft report, the LARO Director reissued guidance to all employees on compliance with Commission and regional policies and procedures on privacy and the proper handling of non-public information. (The LARO Director's September 1, 2010 and December 9, 2009 e-mails are attached.) The LARO will also conduct mandatory training for all employees on compliance with Commission and regional policies and procedures on privacy and the proper handling of non-public information to reinforce the written guidance.

Recommendation 11

The LARO Regional Director should enforce its encryption policy to protect the sensitive data received by the Commission.

Response to Recommendation 11

The LARO concurs with Recommendation 11.

As stated above, after receiving the IG's draft report, the LARO Director reissued guidance to all employees on compliance with Commission and regional policies and procedures on privacy and the proper handling of non-public information. (The LARO Director's September 1, 2010 and December 9, 2009 e-mails are attached.) The September 1, 2010 e-mail specifically states that "in our office, we follow a mandatory encryption policy for ALL portable media. Do not attempt to circumvent this process." The LARO will also conduct mandatory training for all employees on compliance with Commission and regional policies and procedures on privacy and the proper handling of non-public information to reinforce the written guidance.

Recommendation 14

The LARO Director should ensure all file rooms and file cabinets at LARO are secured.

Response to Recommendation 14

The recommended steps are not entirely within the purview of the LARO Director, as they implicate both funding and security issues. The LARO Director will work with the Office of Administrative Services, as well as the Managing Executives and Chief Operating Officer, to find and implement the best solutions for properly identifying and securing hard-copy PII at the LARO. This may entail a range of steps, including increased use of Iron Mountain storage, locks, access cards and additional training of staff to heighten their awareness of the protections needed for PII.

Recommendation 15

The LARO Regional Director should [ensure that] boxes of files stored in hallways should be moved to secured areas.

(The bracketed and highlighted information needs to be added to the report.)

Response to Recommendation 15

The LARO concurs with Recommendation 15 but requests a clarification in the finding that formed the basis of this recommendation.

Page 24 of the IG's draft report states that "boxes of files are amassed in hallways and unsecured offices." We request that this language be amended to clarify that there was only one discrete area that had boxes in the hallway. The several unsecured offices that contain boxes are currently war rooms. All boxes will be removed from these offices by September 30, 2010 with the exception of one office which functions as a war room for the Countrywide case scheduled for trial in October 2010. We will ensure that the Countrywide boxes are removed when the trial concludes.

After receiving the IG's draft report, the LARO Director reissued guidance to all employees on compliance with Commission and regional policies and procedures on privacy and the proper handling of non-public information. (The LARO Director's September 1, 2010 and December 9, 2009 e-mails are attached.) The September 1, 2010 e-mail specifically states that "boxes in hallways/common areas ...must be removed immediately and placed in your office or sent to Iron Mountain. We will be monitoring this on a monthly basis."

Appendix VII

OIG Response to Management's Comments

We are pleased that the COO/Acting CIO fully concurred with 12 of the 15 recommendations that pertained to its office. However, we urge the COO/Acting CIO to reconsider its opposition to recommendation Nos. 7 and 9, and its partial opposition to recommendation No. 8, as the solutions we provided would remove any vulnerability and protect the SEC's information. We are pleased that the COO/Acting CIO acknowledges that the risks we identified in connection with recommendation Nos. 7, 8 and 9 need to be addressed and that OIT intends to conduct research to determine an appropriate course of action to remedy the concerns we identified.

We are also pleased that the LARO Regional Director concurs with all four recommendations that were addressed to her office, and has taken immediate steps to provide controls to ensure PII data is properly handled and secured.

Additionally, we are pleased that OAS concurred with the recommendation addressed to its office and has indicated that office will provide secured bins to dispose of portable media storage in accessible locations within the Commission.

We believe that the implementation of all these important recommendations will significantly improve the SEC's ability to protect PII data and ameliorate the vulnerabilities identified in this review.

Audit Requests and Ideas

The Office of Inspector General welcomes your input. If you would like to request an audit in the future or have an audit idea, please contact us at:

U.S. Securities and Exchange Commission
Office of Inspector General
Attn: Assistant Inspector General, Audits (Audit Request/Idea)
100 F Street, N.E.
Washington D.C. 20549-2736

Tel. #: 202-551-6061
Fax #: 202-772-9265
Email: oig@sec.gov

Hotline

To report fraud, waste, abuse, and mismanagement at SEC, contact the Office of Inspector General at:

Phone: 877.442.0854

Web-Based Hotline Complaint Form:
www.reportlineweb.com/sec_oig